The Security Threat of Forged Law-Enforcement Credentials

Here's a U.S. Army threat assessment of forged law-enforcement credentials.

The authors bought a bunch of fake badges:

Between November 2009 and March 2010, undercover investigators were able to purchase nearly perfect counterfeit badges for all of the Department of Defense's military criminal investigative organizations to include the Army Criminal Investigation Command (Army CID), Naval Criminal Investigative Service (NCIS), Air Force Office of Special Investigations (AFOSI), and the Marine Corps Criminal Investigation Division (USMC CID). Also, purchased was the badge for the Defense Criminal Investigative Service (DCIS).

Also available for purchase were counterfeit badges of 42 other federal law enforcement agencies including the Federal Bureau of Investigation (FBI), Drug Enforcement Administration (DEA), Alcohol, Tobacco and Firearms (ATF), Secret Service, and the US Marshals Service.

Of the other federal law enforcement agency badges available, the investigators found exact reproductions of the badges issued to Federal Air Marshals, Transportation Security Administration (TSA) Screeners, TSA Inspectors, and Special Agents of the TSA Office of Inspector General.

Average price: $60.

Then, they tried using them:

During the period of January to June 2010, undercover investigators utilized fraudulent badges and credentials of the DoD's military criminal investigative organizations to penetrate the security at: 6 military installations; 2 federal courthouses; and 3 state buildings in the New York and New Jersey area.

[...]

Once being granted access to the military installation or federal facility, the investigators proceeded to areas that were designed as "Restricted Area" or "Authorized Personnel Only" and were able to wander around without being challenged by employees or security personnel. On one military installation, investigators were able to go to the police station and request local background checks on several fictitious names. All that was required was displaying the fraudulent badge and credentials to a police officer working the communications desk.

The authors didn't try getting through airport security, but they mentioned a 2000 GAO report where investigators did:

The investigation found that investigators were 100% successful in penetrating 19 federal sites and 2 commercial airports by claiming to be law enforcement officers and entering the facilities unchecked by security where they could have carried weapons, listening devices, explosives, chemical/biological agents and other such materials.

Websites are listed in the report, if you want to buy your own fake badge and carry a gun onto an airplane.

When faced with a badge, most people assume it's legitimate. And even if they wanted to verify the badge, there's no real way for them to do so.

The only solution, if this counts as one, is to move to real-time verification. A credit card used to be a credential; it gave the bearer certain privileges. But the problem of forged and stolen credit cards was so pervasive that the industry moved to a system where now the card is mostly a pointer to a database. Your passport, when you present it to the customs official in your home country, is basically the same thing. I'd like to be able to photograph a law-enforcement badge with my camera, send it to some police website, and get back a real-time verification -- with picture -- that the officer is legit.

Of course, that opens up an entire new set of database security issues, but I think they're more manageable than what we have now.

This has been a problem for a while. You can buy badges for just about any police department. Apparently, the FBI is the only org which treats their badges as secure items.

There was a string of rapes in New England a decade or two back where fake badges were used to con women into following the rapist's orders. There was an attempt to ban the sale of fake badges, but it didn't happen due to the overwhelming opposition of various law enforcement organizations. Their reasoning? Collecting police badges is a popular hobby for many policemen and they didn't want to have to stop.

@Rob: I wouldn't trust that to apply only to criminals ... imagine you're faced with a police officer trying to arrest you, and you first proceed to verify their badge -- I'm entirely convinced they'd start getting violent, since your cell phone could explode or whatever reason they come up with!

I've had a friend tell me that he got access to a team-members-only parking garage of a professional sports team.

He was between 18 and 25 years of age, was in a car full of people the same age. He did not have a badge, but he did have a sticker that resembled a badge inside his wallet. On a whim, the driver of the car decided to try to get into the closed parking area. The security guard at the gate stopped them, at which point my friend brought out his wallet with the sticker-that-looked-like-a-badge. The guard asked no questions, and let them drive into the restricted parking area.

It wasn't a usual high-security zone, though I suspect that most professional athletes value their private parking and secured entrance.

I would suspect that most such guards should be able to tell the difference between a badge and a sticker!

Of course, this event happened before terrorism came into the public spotlight in the U.S., so I don't know if this method still works.

When I was in the military, they would prevent members from leaving the base by taking their ID card [which was checked at the gate both inbound and outbound]. Typically, if you wanted to go out, you borrowed an ID; because everybody had a shaved head, it was plausible to a guard that it was the correct ID. I also worked at a secure building where there were keypads at every door expecting a 4-digit PIN. Once it was discovered that a PIN existed with the code 3333, everybody used it because it was faster than using their own (especially when carrying coffee and a bagel!). You could always tell when someone used the easy PIN because the beeps were rapid fire. Most security measures are 'worked around' in some fashion or another.

I think the purpose that is served is when an intruder is caught, it can show the intent of the intruder. If you have a fake badge, you can no longer use the "I wandered in here by mistake" excuse.

Tan overalls, hat, clipboard? Come right in and take away all of our juice products.

Saying hello with a smile to a passerby while { cutting, breaking } security locks on something to be stolen? New friend.

People believe what they see. I think an important reason for this is that, in the vast majority of cases, people are honest. It's not simply a case of respecting (or really, fearing) authority, but looking the part. Goes for phishing, tabnabbing, etc. as well.

Also, the fact that this trivially easy attack is possible (and with such a high probability of success) is yet more evidence of security theater. They've spent trillions on "security" yet haven't yet covered the basics, because the plan all along has been the security of government and not of individual liberty.

This problem has bothered me for quite some time. I like your real-time check idea, but to work it has to be available everywhere. And it has to be law that performing badge verification does not constitute resisting arrest. Also, I would argue that badges should not have pictures...just a number/barcode/etc that can be used as a search query. The search would send a picture back to you which you would then use to verify.

One thing people in law enforcement probably wouldn't like about this is that it would essentially make the identity of all badged law enforcement agents public--because anyone could run batch queries on all the badge numbers. The only time it wouldn't be public is when querying isn't a public right, and that should be fine for the cases that need them. If a member of the general public has to submit to someone's authority, it's reasonable that the list of people with that authority should be public.

"The only solution, if this counts as one, is to move to real-time verification"

How's that going to work?

There's well over 100 Federal US badge carrying agencies. Probably at least that many again in each state. Then there is the quaint little anomaly of things like transport police (you can become your own private "public serving" police force by filling in a couple of forms).

A simple scenario: there you are driving down a quiet country road late at night, you get pulled over and get one of a thousand LEA badges shoved in your face.

Assuming your cell phone is actually in range of a base station (big if in most of non urban USA) and it is not being jammed by any one of a hundred or so different makes of cellphone jammer you can buy from 10USD upwards, which database do you ring on your phone?

1, The number given on the ID badge?
2, The number directory enquires gives you?

How do you even know the LEA is real, likewise how does the directory enquiry company know the number they have listed is a legitimate organisation or number?

How do you even know your cellphone is even connected to a real network not a micro cell (500USD Universal Software Radio Peripheral, 200USD PC running GNU Radio, Asterisk and one of the open source cell packages) running out of the questionable LEO's car's boot/trunk?

Put simply there you are on a dark country road he has a gun and a badge and you have nothing to show that he can be trusted in any way shape or form.

It's always been like that it will remain like that and there is in reality no system that can be invented that's not going to be workable in some way by somebody with the right incentives.

This brings to mind the instance about a decade ago where an airline captain refused to allow a Secret Service agent of Arab descent to carry his sidearm on the plane because of inconsistent paperwork, and refused to call the number for the Secret Service that said agent provided him. The media tide was fairly overwhelmingly against the captain, but I supported him. It could well have been a case of him just not liking an Arab guy with a gun, but if somebody who has no compelling reason to have a gun on a flight produces inconsistent paperwork, I don't want a call to a number the supposed agent provides to be the only line of verification that he really is who he says he is.

When I was younger, I had fake id for lots of stuff. I kept using a counterfeit student card to get discounts pretty much everywhere for years after college. For several years, I had access to the artist parking of one of Europe's biggest rock festivals using an old card I waved from a safe distance to the unpaid volunteers "guarding" the parking. When the local city council introduced paid parking all over town except for the residents of a particular area, it took nothing more than Photoshop and a lamination service to have perfect replicas of the residential cards of all twelve areas in less than an hour. We even made copies for the very helpful guy at the shop who in return forgot about the bill. A fake press card of an internationally reputed agency I had acquired in Bangkok, Thailand, in combination with a cheap camera and a phony British accent for a long time got me in for free at numerous events, no questions asked.

I could go on, and this is even without mentioning long lasting access to all kinds of facilities using passwords and pin-codes that never got changed.

I totally concur with Bruce that anything less than id that can be verified in real time nowadays is pretty much worthless in stopping anyone but the least resourceful. This is indeed posing a number of practical problems, but these can easily be solved over time. At some point, we had eID (chip) cards with X.509 certs introduced over here, all information about the citizen stored on the chip. For a while, people had to carry around a print-out of the info too because not all law enforcement and other authorities had already been equipped with card readers. Today, this is no longer an issue.

I can't find anything about it now, but a couple years ago, I recall reading a story about some carjackings. The offenders had acquired some red and blue flashing lights and fake uniforms, and would use them to pull people over. When the victims rolled down their window, they would hit them with a heavy flashlight, open the door, pull the victim out, and steal the car.

Whether or not this actually happened, it really struck me how much power someone could gain with something as simple as a badge or some bright, colored lights, and how difficult it can be to detect that they are fraudulent. I honestly can't help wondering if there's any good solution to that.

I haven't read the report, but I am not very surprised. I expect it is easy to get into a facility with a fake ID. However, many facilities have a lot more physical security than people think. Lots of cement barriers, places with guards. I think the real value one could get from 'straying' away from where you were expected to be would likely be more limited than it sounds to many people. Visitors' cars likely are forced to park far away. Many turns may be there to stop cars from driving rapidly. People are escorted to areas they should be able to wander without too much worry. I don't doubt there aren't some problems, however.

Even without fake IDs on the market, I think many facilities could be easily compromised by stealing a badge from the nearest 7-11 / Dunkin / etc. There will be lots of people walking around still wearing their IDs.

IDs are just not going to be able to stop something like this. Even when the smartcard PIV and CAC stuff is everywhere. The card will sometimes break or get lost and there will need to be rules to deal with that.

As Clive pointed out, any scheme is going to be moderately easy to defeat, particularly in the open or at home. Of course for secure facilities, the resources for this, such as secure landlines and checkpoints, are feasible. For civilians, the best we might achieve is a scheme that would make it harder for the typical robber/rapist posing as a cop. The hard part will be coordinating laws and policies so that people can challenge an LEO without getting arrested or having to attend a beer summit. For example, we have all heard of the fake cop pulling over women on a lonely road and attacking them. Some jurisdictions let you call before pulling over. Some safety experts recommend driving on until you get to a public place (assuming you're not that far away from one). The problem is you are at the mercy of the cop as to whether you get arrested or not, vs having a policy that guarantees a citizen the right to safely proceed to a populated location. Just look at the folks arrested while bleeding and running into a hospital because they ran a light. Doesn't happen too often, but there is no clear law or policy to handle that.

"The only solution, if this counts as one, is to move to real-time verification."

I would expect law-enforcement agencies to strenuously oppose this. Not because it's inherently a bad idea, but because implementation requires an admission (or understanding, if you will) that just because someone self-identifies as a law-enforcement officer doesn't mean that they actually ARE. Given the many law-enforcement organizations more or less explicitly demand that the public trust them on little more than a verbal declaration, I think they'd be leery of giving that up.

"Given the many law-enforcement organizations more or less explicitly demand that the public trust them on little more than a verbal declaration, I think they'd be leery of giving that up."

It's worse than that...

A UK judge actually accepted the argument that a police uniform is sufficient proof of a bona fide Police officer... Even knowing that all the parts of the uniform are not only on sale (no questions asked) but could likewise be rented from theatrical suppliers and joke shops...

He appeared to support the very odd notion that the laws regarding the impersonation of a police officer were a sufficient deterrent...

I remember thinking at the time "some people need to get out more, and find out what real life is like".

As Bruce has mentioned before, real/phoney uniforms have been used to enable all kinds of criminals to succeed in their aims, from petty larceny through to full blown mass murder.

I won't name the judge, but if they ever read this, they can take it as read I think they are an idiot and not fit to sit in judgment.

Clive: you better hope you're not ever under the jurisdiction of said judge who might be reading this ;). Of course it sounds like any defendant in his courtroom is screwed anyways, unless they can somehow come up with a rather creative fairy tale for their defense.

I see another set of problems that come with verification, instant or not.

Assuming a private citizen versus an LEO: did the officer offer to let you verify him, did he give you sufficient time to decide/do the verification, how many times do you get to verify him, did you refuse to verify him, etc. What if there are multiple officers involved? When are officers exempt from verification?

A whole body of case law will ensue from such activities. I'm not saying it's not a good idea, it is, but it will become a very complex, burdensome process.

This is not news. This is olds. Loompanics had books detailing LE credential forging and lists of vendors 40 years ago.

Oddly enough the US Government (as we know completely stupid, ineffective and decrepit . . . at least the parts doing things that don't agree with our political leanings) has considered this a problem for years. And they've developed a partial solution. HSPD12

First the issue of Federal credentials. Then Access to controlled and exclusion zones then proof of identity to a citizen.

No First a Baer story. In the 90s (late I think) when Robert Baer returned to the US after a covert visit to Iraq he says he was notified by his CIA supervisor that the FBI was going to interview him. He set the scene of an average conference room with a couple of other people in it. They presented their ID cards which he didn't bother to look at since he knew how easy things were to fake. They then interrogated him about involvement in an operation to assassinate Saddam (a violation of US law) and the use of a particular alias. He denied the former and claimed no knowledge of the latter.

So his action was to discard the 'proof' of identity and deal with what to him was the real issue. Someone with power (who knew him by name, knew the CI world well enough to get people in to CIA headquarters) wanted him to make statements incriminating himself (and others if it was an authentic mission) or at the least destroy his career as a CIA agent. Since need to know covers denying classified information to even lawful inquiries it would, arguably, have covered this. Though the classification system isn't supposed to suppress information of criminal activity, tell that to the Ambassador to Afghanistan.

The failure is not in the credential but in the gatekeepers who accepted it as proof of authority to access. (During refresher training we were always told to look out for "IDs" that weren't right. FTG San Diego came up with some dillys (Bullwinkle, Boris and Natasha).) But it doesn't matter that the forgeries are good; with so many DIFFERENT styles for each agency and department, who's gonna recognize a slightly off ID badge from an obscure element?

The US Commerce Dept released a standard for Personally Identifiable Verification (PIV) (FIPS201) in early 2005. The PIV card (called CAC by the DoD) is a smart card containing x.509 certificates, biometrics and other identifying information (agency, employee, contractor, citizen foreign national etc) in a variety of readable formats. The HSPD12 system has been deployed so that these federal credentials are delivered to only people who prove their identity (two forms of ID, my record of birth and passport is what I used but there's a variety of documents it's just got to be one from column A and one from column B).

I think we can agree that this is a strong identification schema. Prone to compromise? That is yet to be seen.

These cards are now being used all over the US for both IT and physical building access.

So why didn't it work at airports? They ain't federal buildings. TSA is only a tenant of the airport manager like the airlines and vendors.

Why the failure by "Federal" LEAs? 'Cause there are groups either dragging their feet or 'know better' and are refusing to convert. It is also possible that it's gonna take 5 years to convert everyone, building and system in the Federal Govt.

So that's a real time system. In place now. If it's failing to protect US federal buildings from surreptitious entry? Shame on the FSO, the CSO and the agency's security program (maybe shame on training and contracting officers as well). Facilities I've been at required (for sensitive areas) a visit request, escorts (and not the fun kind) in SBU areas and in exclusion zones, screened material, access logs indicating each individual and escort, time in / time out, positive verification of identity and validated need to know.

Fraudulent LEA vs Citizen on a lonely country road.
Risk is neutral. The risk indicator needle doesn't move at all. Citizens have NEVER been able to expect that a LEA presenting themselves (with uniform, cruiser, badge) is anything but what they purport to be. Citizens wouldn't generally recognize even a BAD forgery. Private investigators pretext like this as a matter of practice. We also hear about citizens being accosted by fake cops from time to time but it doesn't seem to be pandemic.

So progress is being made.

To me the more interesting use case for fraudulent use of LEA identity is against ISPs, FB, eBay. How do they know that a feebee with an NSL is authentic?

"The only solution, if this counts as one, is to move to real-time verification"

This is plausible. Much more of a problem is mindset.

Okay, I am using a limited secured set. You don't get this. See the original paper, and the biggest security risk. They didn't find out if random people believed the badge was real, but if they could use the credentials to gain access to secure installations and systems. Yes they can.

So, if there was a way to check credentials, that would solve this. And it can be done. At least some agencies will, if you call their dispatcher, tell an authorized person (e.g. the guard at the prison gates) if the officer or agent they are looking at:
- Exists
- Is on duty
- Is in this area
- Should be doing what you asked of them
That will solve most of this, and would have entirely thwarted the tested conditions. By the time you need biometric verification you are at movie-plot and the baddies can just hire a guy who looks like the real official who is 2 minutes behind you... etc.

That seems like a lot of effort with zillions of agencies? Well, zebras can just sit on the bench while we jump through hoops to verify them. The very few agencies someone works with every day will be on speed dial. And there are theories and plans (we'll see) that the new digital radio systems will allow all regional LEAs to talk to each other. So, it's easier than ever.

Anyway, like I say, this happens some places. Fewer all the time due to complacency I guess. Get a mindset of security and verification and implementation issues would be solved right away.

The problem with transmitting photos of the badges is that eventually those photos might be easily misused if they get into the wrong hands somewhere along the line. Easier to doctor a photo than to mess with some biometric or other encoded data in the badge itself.

I've duplicated press passes for people on the fly - although it was a legitimate request from the organization's CEO. Once you have the layout and color scheme it's pathetically easy to duplicate most forms of ID. The software I was using is freely available, although Photoshop works nicely as well.

"'The only solution, if this counts as one, is to move to real-time verification.'

I would expect law-enforcement agencies to strenuously oppose this..."

It's worse than worse than that...at least for public law enforcement in the USA. The power gradient is flowing the wrong way for this to work during police interactions with citizens. I just don't see any of the following scenarios ever happening...at least outside of a Heinlein novel. "Thanks for pulling me over, officer. May I validate your credentials before we proceed?" "Wow, a no knock warrant? Let me scan your helmet barcode." "Hmmn, your badge number comes back as invalid. This interaction is now over."

In military settings, and some federal access control scenarios, the gatekeepers may use force to fulfill their mission. The power gradient is either more balanced, or flowing the other way. The defenders' options run from "No scan, no access" to "Comply or die."

"who prove their identity (two forms of ID, my record of birth and passport is what I used but there's a variety of documents it's just got to be one from column A and one from column B)."

Oh dear so you really didn't offer proof of identity at all...

For those who don't get it (yet)

A birth certificate is a record of an event (a birth) at a time and place within a jurisdiction, and the allocation of a non exclusive label (name) to the product of the event (the baby).

It is not, never was, and in its current form can never be a method of identity.

A Passport is a document that supposedly identifies an individual by the details on the birth certificate and in addition a photograph that has effectively been signed anonymously by an effectively unknown individual...

So that's all OK then ;)

Seriously as Stella Rimington (who was head of a British Intelligence agency) pointed out very publicly, it really is not possible to prove who you are.

And this is one of the reasons you should treat all ID documents with complete contempt; they are completely useless. All they really say is "we named entity", "have assumed", "without any proof", "that this document identifies" "the person named" who might or might not be the person presenting it "and we want you to trust us in this".

In several EU states, citizens as from a certain age are required to always carry their id cards with them. The same goes for foreigners that need to carry passport, work permit or similar document at any given time. Failure to do so is punishable with an administrative fine. If there is reasonable cause to do so, a LEO can ask a citizen for his/her identification.

Likewise, any LEO approaching a citizen can be asked to identify himself, and needs to do so spontaneously when not in uniform. Examples of their id cards can be found on the official LEA websites. So far, these have proven to be very difficult to forge and in due time will become smartcards too.

There have been efforts to generalise both over the entire EU, but as usual the British are less than cooperative 8-).

I'm not saying this is a foolproof solution, but at least it is a good start as compared to states where no mandatory identification of LEOs exists at all and any idiot can go buy/hire himself a uniform and get the matching badge for 50 cents at the local toy store.

Re batch querying, it also introduces the attack vector where the criminal queries successive batch numbers until he finds the picture of an officer who looks like him, and then assumes that officer's identity to do his nefarious deeds. When he presents the ID with that number and the target verifies it, he gets back a picture that looks very much like the criminal.
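Added example, not part of the original post or its comments: a minimal sketch of the "badge as a pointer to a database" lookup the post proposes, with two assumed design choices that address the batch-query concern raised above: unguessable random badge tokens instead of sequential numbers, and a per-client query limit. Every name here (`BadgeRegistry`, `photo_ref`, the limits, the sample record) is hypothetical.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Officer:
    name: str
    agency: str
    photo_ref: str       # photo returned to the person checking the badge
    active: bool = True  # set to False when the badge is lost or revoked


class BadgeRegistry:
    """Hypothetical lookup service: the badge carries only an opaque token."""

    def __init__(self, max_queries=5, window_seconds=60):
        self._key = secrets.token_bytes(32)  # server-side key for token digests
        self._records = {}                   # token digest -> Officer
        self._recent = defaultdict(deque)    # client id -> accepted query times
        self.max_queries = max_queries
        self.window_seconds = window_seconds

    def _digest(self, token):
        # Store keyed digests so a copy of the table does not reveal usable tokens.
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, officer):
        # 128 random bits: knowing one badge token says nothing about the next.
        token = secrets.token_hex(16)
        self._records[self._digest(token)] = officer
        return token

    def revoke(self, token):
        record = self._records.get(self._digest(token))
        if record is not None:
            record.active = False

    def verify(self, token, client_id, now):
        """Return a status dict; `now` is a timestamp in seconds."""
        recent = self._recent[client_id]
        # Drop queries that have aged out of the sliding window.
        while recent and now - recent[0] >= self.window_seconds:
            recent.popleft()
        if len(recent) >= self.max_queries:
            return {"status": "throttled"}
        recent.append(now)

        record = self._records.get(self._digest(token))
        if record is None:
            return {"status": "unknown"}
        if not record.active:
            return {"status": "revoked"}
        return {"status": "valid", "name": record.name,
                "agency": record.agency, "photo_ref": record.photo_ref}


def sequential_lookup_statuses(registry, client_id, attempts, now):
    """Statuses a client gets when it walks token values 0, 1, 2, ... in order."""
    return [registry.verify(format(i, "032x"), client_id, now)["status"]
            for i in range(attempts)]


if __name__ == "__main__":
    registry = BadgeRegistry()
    # Constructed sample record, not real data.
    token = registry.issue(Officer("J. Doe", "Example PD", "photos/0001.jpg"))
    print(registry.verify(token, "citizen-1", now=0))
    print(sequential_lookup_statuses(registry, "kiosk-7", 8, now=0))
    registry.revoke(token)
    print(registry.verify(token, "citizen-1", now=1))
```

The limit is keyed on a client identifier, so it only slows batch lookups to the extent that clients are themselves authenticated; that is one of the database security issues the post leaves open.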

Couple a fake law enforcement badge with some decent social engineering skills and you can break into ANY system. I'm reminded of a story on page 60 of the Hafner/Markoff book Cyberpunk, in which someone claimed to obtain access to a system via intimidation:

"This is Specialist Buchanan calling on behalf of Major Hastings. He's been trying to access his account on this system and hasn't been able to get through and he'd like to know WHY....Okay, look, I'm not going to screw around here. What is your name, rank, and serial number?"

Any system that relies on matching what's produced to what is known is inherently flawed. To verify a signature, one has to know the signature in advance, which is all that's required to forge it. Same goes with badges.

Active, asymmetric crypto is the only real solution. Embed active RFID chips in badges, and put RFID readers at secure zones. It doesn't let the average joe verify it, but that's not the place where verifying those badges carries a large risk.

I do like the idea of taking a picture with an app, which does the verification for you. It could check if the officer is local or not, to give an indication if the badge is real. An agent that only works out of California would flag as being odd if it turned up in New York, even if it was still valid.

"And even if they wanted to verify the badge, there's no real way for them to do so."

Poppycock.

When the officer is at your door, you ask them "which office do you work out of, and who is your supervisor". Politely ask them to wait while you call up that office. On a number that *you* look up, not the number they give you.

Ask to speak to their supervisor (the secretary of their department will do) and say "There's a John Doe here who claims to work for your department. Can you describe him to me?"

This will work for anyone - LEO, company salesmen, repairmen, temp workers - the lot.

It hinges on the direction of verification. If *I* call the workplace using the publicly advertised number, then that's extremely hard to spoof. If *they* present verification, then that's rather easy to spoof.

Of course, all the implications about wasting the LEO's time while this is taking place, and the effect on their demeanor.

A long-term employee of my firm left to "go to work for the military."

Some years later a man in a dark suit appeared in my office demanding to see the long-ago employee's employment records.

The man said he was with the military's background checking service and flashed a badge.

I told him that employment records were confidential. But, I would allow him to see the records if I could get a COPY of his badge (the one he just flashed) and verify his identity.

He told me that it would be illegal for me to copy his badge and that this was the FIRST time in his lengthy career that anyone had even questioned his authority to see the records he was demanding or even asked to verify and record his identity.

Conclusion:
This man, dressed in a dark suit with a "badge" went from private employer to private employer, all across the country, for years at a time, reading and copying former employee records and interviewing supervisors and colleagues of long-ago employees with absolute impunity and exercising absolute authority to do so, without so much as a whimper of opposition or questioning.

Great article and good point about real time authentification Bruce. I agree. I wonder if the problem is that the technology of watching isn't shared with the judges/legislators yet. Obviously most of us citizens don't know about the chips in our new cars, in our drivers' licenses, etc.

With the myriad ways to track the rest of us citizens, perfect or imperfect, there should be ways to track in realtime the others. The watchers, the police, the FBI, all the ones who need safeguards to prevent abuses/impersonation.

Like with the GETS/WPS cards for cellphone network folks who participate in civil defense tracking, nobody apparently keeps track of their use or misuse of the phones.

So you borrow your girlfriend's dad's GETS/WPS code, use the cellphone for it, and listen in on the audio for the domestic terror program. Nobody knows that you aren't someone authorized, you know the dial up code and the pin. Nobody audits the vehicular surveillance.

So you could literally listen in on a domestic terror job and participate in it, without the paying agencies knowing. You could pass around the phone used to eavesdrop in realtime audio transmissions from vehicular taps, and nobody authenticates that it's you and you have permission.

You literally have quasi police powers and nobody verifies that it's you. You can be in vehicular surveillance patterns and participate illegally. So all this realtime stuff for the watchers isn't watched, isn't policed, and isn't authenticated in real time.

Can you see the potential for criminals to abuse this? It's a perfect opening for actually organizing crime. There's no control of information as observers talk to anyone, and in front of anyone, and no cops there to say "you can't give your cousin that cellphone/with the GETS pin."

Nobody cross audits house taps, phone taps, or computer taps. So if the house tap person is a contractor who might be related to someone who is participating in illegal activity, say dealing dope, and he or she hears that the subject saw something, they can call their buddies and warn them. There isn't anyone watching the watchers in realtime taps/bugs.

Yet I wonder with all the observer misconduct on my case why they aren't listening when the observers speak in my presence and I have the phone, saying things like:
"the police can't help her she's stupid to go to them." (right after the assault) There's just a contractor in the realtime listening, not a cop.

There's no realtime authentication or policing of observations where citizens have police powers. I wonder if the FBI even took the trouble to think that citizens watching citizens needed to be policed?

Security is only as good as the adherence to the security. Even with wonderful, perfectly clear, unforgeable biometric ID cards, the problem will persist so long as the IDs aren't *checked*.

For example, I once entered a USMC base using the CAC of a co-worker: me, a 30-yr-old male with brown hair, her a 40-yr-old woman with blond hair. Completely obvious that I wasn't the correct bearer of the card. But the soldier manning the gate waved me through.

This is where usability of security comes into play. He waved me through because the process of actually looking at the IDs was too cumbersome to perform for each entrant. If this process had been easier, or there been more resources for checking IDs, I would not have gotten onto the base.

How would real-time badge verification work? Two words: ubiquitous wireless and a small portable personal reader set to a standard.

It's like the cyberpunk stories like Shadowrun where everybody carries a standard "chip reader". When you want to verify something, you "slot a chip" and the device communicates with the authority server. So if you want to make a purchase, you key in some credit and your ID code on someone's reader, their reader contacts your bank and verifies the transfer of funds.

Same with ID: cop stops you, slots your chip, verifies your ID with picture, etc. just like cops do now with their cruiser computers, only a smaller device.

Obviously this requires major infrastructure redesign.

And of course, in the Shadowrun world, hackers hack this system all the time to set up fake IDs.

Questioning the ID of a real cop will nearly always get you to the jail pretty quick -- resisting arrest or breaking some of the many discretionary laws, and asking for a supervisor will also. I know this from sad experience. What world some people live in where you can ask a cop to wait while you verify his ID I'd like to know about, it isn't this one. What happens with a fake cop, I have no clue.

I used to work in some pretty restricted access places (heck, the name of my clearance was itself a secret), and had a fancy picture ID with the "right secret border" saying I could go pretty much anywhere, because the nature of my job then required that -- I was liaison between two commercial companies and the government for a computer system development that funneled all the "secrets" to military analysts working the war room. The real security, though, was that the guards knew me (and everyone else), we were all nice to them, treated them as humans, and they remembered us, often letting us in, badge or not (bad for them if they got caught doing that, but hey, humans are human -- and they'd not let someone in *with* a badge without some issues if they didn't know the guy -- even civil servants are sometimes good guards). This was pretty decent security in the various vaults and computer rooms (Pentagon) I frequented mostly. We had no breaks in security, except one in the Pentagon which was hilarious (and was a red team on "our side" anyway).

They impersonated a bomb squad, complete with official looking tools and paraphernalia, and rushed up to the vault door of the NMIC, waved badges but were obviously in such a hurry and shouting about imminent danger the guards just pushed the door lock buttons and scattered. The red team then took their wheeled mini dumpster into the secure area and proceeded to remove all the "washing machine" disk platters (which tells you about when this was), put them in the "Bomb disposal container", then rushed back out, got on the metro, and back to their office in Crystal City nearby. The whole thing didn't take half an hour round trip.

Meanwhile, on the site, it took nearly an hour for anyone to reenter the computer room, as no "all clear" had been sounded, and the first they knew of the theft was a call from the red team offering them their disks back.

Needless to say, some heads were severely bashed over that one, if not rolled. But it was funny if you weren't one of them.

Oh, and about the FBI's badges: I read a story once, I don't know if it's true or not. Back in the Cold War days, a Soviet agent allowed himself to be spotted and tracked by the FBI back to his apartment. When agents entered the apartment, it blew up. The Soviet agent then collected the dead agents' IDs, had duplicates made and used them to penetrate secure facilities in Washington.

If you want an FBI ID, you get one the same way insurgents get their initial weapons in the beginning of any insurgency. You ambush someone who has one and steal his, risky or not.

Which, by the way, also demonstrates the futility of "gun control" - unless you disarm all law enforcement.

Back in the day, when New York street gangs wanted to get a gun, they just lured some rookie cop down an alley, jumped him, bashed him, took the gun and ran.

Even if you manage to "ban" all civilian handguns, criminals will get their guns this way - and also by way of the massive black market that will result from exactly such a law. Not to mention all the military armories that have such crappy security that 90,000 weapons went missing in Iraq under Petraeus' watchful eyes.

Quote: Gang members and criminals nationwide are targeting law enforcement officials, military, government vehicles, and residences in search of weapons, equipment, police badges, body armor, and uniforms. These incidents suggest that some gangs are becoming more brazen, tactical, and willing to engage law enforcement and rival gang members in potentially lethal encounters. The National Gang Intelligence Center assesses that these thefts could also allow gang members and criminals to impersonate law enforcement officers to gain better access to their targets.

Noticed that did you? It's proof. For a given value of 'proof'. It can be gamed (has to be for witness protection program people). Likely there is no way to PROVE identity like theorems can be proved.

There is a piece I left out. The cards are only issued to people who are sponsored by a federal agency and that agency foots the bill for a 'personal suitability screening'. What we call background investigations. Given the nature of most government IT systems that background screen for a 'position of public trust' is a NACI (National Agency Check and local records check with Interviews and usually a financial records check).

So for a contractor (who has to validate citizenship/right to work of their employees and maintain financial records) the contract is vetting the person to the agency, the agency then has an OPM investigation performed, then represents the validity of that investigation to HSPD12 stations (they are all over the country) who validates identification from 2 state or government issued (the usual term these days).

What it really does is establish the link between the name/profession/other government identities/ssn AND biometrics (photo and prints) stores them forever and that link of data can (so goes the theory) only be used by that individual.

Again Identity isn't some property we inherently have. It's given to us as part of a relationship.

There is a casino across the road from my office. When I entered the building one lunchtime, the security guard asked me to keep my workplace ID badge in my pocket while inside.

As far as I can tell it was because there are so many different kinds of ID in use in the casino that I could easily be mistaken by the patrons or staff for some kind of official. This doesn't seem like a good idea.

"Also, purchased was the badge for the Defense Criminal Investigative Service (DCIS)."

What, DCIS only has one badge that they all share? :)

Scanning the verification site to collect officer IDs shouldn't be a problem in practice if you use something other than the visible badge number as the key. A QR-code variant barcode on the ID/badge would allow a large and sparse key space (think

Combine that with annual reissue of the IDs using a new key ID and retiring of the old key ID to reduce the lifetime of any IDs that were successfully gathered.

The ability to scan a badge number doesn't allow sequential scanning if implemented properly. Have a badge number with a 64bit random key appended to the main number and it should be OK.

Of course if the Mafia want a list of police officers then they can stake-out courts (which tend to be surrounded by TV journalists carrying big cameras) and research the people who visit. Also for a long plan they could infiltrate the police academy and get a complete list of all students and then track the ones that don't drop out.

I recently attended a lecture by an employee of a LEO. He mentioned the practice of criminals creating dossiers of information on cops and then publishing them on the net in revenge for being arrested. Maybe in a few years a Russian web site will have an index of all cops in your area searchable by description etc.

That's one reason, but the security guard was also doing you a favour. Many companies I've worked for - especially those serious about their security - have strict guidelines about wearing workplace badges off premises. In essence, you don't, because it gives you away to whomever is doing intelligence gathering on the place you're working at. He may try to get your badge or use social engineering skills to learn more about the place. I have known several people that were seriously disciplined for ignoring this.

PS> The reason DL's have diminished in value is because everyone uses them. One of the best sources for a base information set is to steal the PC from a video rental store... Name, Address, DoB, DL#... sometimes SSN, credit card number...

Many good ideas and concerns posted about this. Couple the QRC containing a 64 bit random key with a 4 digit PIN.

Joe Public would scan the ID with their phone and would then be prompted for that credential's PIN. Ask the officer for his verification code. It matches and the photo, agency info, et al is then provided.

The officer could (and should) change his PIN frequently and should be notified each time someone verifies his ID.

@Richard: I have to say, that sounds like a movie plot. Typically, unless a war is going on and they're in here as saboteurs, a foreign agent is not going to use such a violent method. For sure, he'd be the first spy executed on US soil unless the Russians could offer us up someone very very important. Also, I can't imagine him getting very far with the dead agent's badges, you don't want a big bang before achieving your mission. Of course, in a combat zone, all bets are off.

It seems like this would be the easiest problem to resolve. One of the comments said 40 years now this has been going on? Seriously!
Drivers licenses and passports are filled with so many watermarks and holograms, hell even cash with denominations over $1 come with more security than necessary.
Then there's also things like PIN codes, automated verification hotlines (Call the number, put in their employee number or something, get an instant match), RFID, hell why not use anal probing while we're at it?
But yeah, this is a really weak link. And you know what they say about chains and weak links.

If identity documents could be made smart enough to recognize and challenge each other (be that a descendant of today's smartphone or even a fancy smartcard with some rudimentary graphical output), then a LEO requesting your identification would not be able to avoid doing a mutual authentication, nor would likely think twice about doing so (avoiding the resisting arrest/failing to grovel problem). Touch your card to the cop's card, and both cards can then show the relevant information from the other card (and log the event). Likely, the cop's card would get more information from your card than you get from the cop's card. But if your card shows his or her picture and a red "LEO" indicator, then at least you know someone put more effort into it than some clown with Photoshop and a color printer. If a network is available, this could do real-time verification; if not, it could fall back to only checking digital signatures.

Alternately, I suppose one might be able to find some kind of drug to induce Mr. Monk-like OCD in all citizens, and then have weekly seminars where the nuances of all valid badges, shields, and other forms of identification are carefully studied.

None of this solves the problem where the attacker derives their authority from a less complicated source (e.g., a gun).

Phil said: None of this solves the problem where the attacker derives their authority from a less complicated source (e.g., a gun).

When it comes down to it, isn't that what law enforcement and the GOVT does? The reason governments exist is because no one has figured out how to maintain a peaceful and orderly society without a legitimized use of force. One just hopes the good guys outgun the bad.

That's why Hezbollah and drug cartels are so entrenched, they've set up quasi-governments that are stronger than the legitimate one.

Real-time verification just sounds utopian to me. A police officer shows me his badge, and what am I supposed to do? grab my smartphone, take a picture, send it somewhere and receive a confirmation? What if I don't have such device? what if there's no coverage? and how do we make sure that this whole system is secure? I see all sorts of complications here.
I'm in favor of an old-style approach. Security is a trade-off between real-time verification with facial recognition over the air and some guy flashing a random badge.
If this guy is driving (what seems like) a police car, wears (what seems like) a police uniform, listens to (what seems like) police radio, shows me (what seems like) a police badge, either he's a policeman or he found worth faking all that stuff just to cheat me.
The truth is that the robustness of the provided authentication depends on what we're protecting.

"... he's a policeman or he found worth faking all that stuff just to cheat me."

Well as is known from many many attacks world wide a uniform etc is used to get close enough to attack and kill individuals and groups of people.

Thus as potential murder (or worse) victims you and your family should be demanding authentication that is as strong as possible to be checked from as far away as is possible.

From that perspective what you need is a military style IFF system.

So all LEO's need some kind of secure responder mounted in a badge on their hat or center of their chest. You shine your laser augmented distant credential reader at it and it responds with a "secure non replayable Friend code". If the response is valid then you can move to the "approach one and be recognised" phase, if not then you can take appropriate measures.

Though I'm not sure how the LEO's would feel about having what is effectively a gun sight pointed at their head or CBM.

And this is the crux of the matter for either side the worst case scenario is getting captured/killed. For both parties their best option to avoid this is distance and minimum observable profile...

Establishing trust non remotely is difficult enough doing it at several hundred yards is going to prove interesting to put it mildly.

In some countries they work on the "short straw" system for IFF. One person gets the short straw and goes forward to meet the potential enemy. Behind the person is their squad mates with appropriate weaponry should anything go wrong they put down a lot of heavy fire.

The problematic assumption is the enemy knows this and would not ordinarily make contact this way. However with suicide attackers you just don't know what they will do. However the short straw system should limit the casualties to one on each side...

Basically it is a very hard problem in risk-v-trust (trust in the normal sense) and fraught with dangers.

The other problem with verification is that you have to know beforehand who to verify it with. Because you can't verify it with information given to you by alleged LEO. This is ok in a closed system (say within the DoD) but as others have pointed out there are 100s and 100s of police organization in the U.S. And once everybody has the authority to verify, then everybody gets the information that you receive as part of the verification.

Most people are reluctant to challenge authority. This isn't helped when the 'authority' in question throws their weight around, blusters and generally does their best to create an expectation that their authority will be honored not because it's an exigent circumstance, but because they're 'special.'

@jbscpa "He told me that it would be illegal for me to copy his badge and that this was the FIRST time in his lengthy career that anyone had even questioned his authority to see the records he was demanding or even asked to verify and record his identity."

I have heard this line both personally and passed along by third parties. I think it's a standard lie taught on the first or second day of investigator school.

@Danny

"This particular issue is one of the few that keeps me up some nights. There's no protection. From a professional standpoint, a security professional can do nothing against this. "

This is an absolutely standard security problem and there are standard answers to it. At a high security facility, a piece of metal is not worth its recycle value in terms of getting inside. The guard should ask to see a photo ID and verify name and face against the ID. The guard should look up the phone number for that agency (never use a number provided by the visitor!) and call their dispatch to verify the ID and that they are on duty and have a legitimate need to do what they want to do. Until identity is verified, no one gets in -- and even on-duty police are not getting in without an emergency situation, management permission or a warrant.

Post orders for security control points should specify what actions are to be taken in both emergencies (i.e. showing up with lights and siren at the gate, banging on the door, etc.) and non-emergency situations (flashing a badge to demand entry).

It helps to have bullet-resistant plastic between the guard and trouble, but it is not a requirement. If the "cop" resorts to force, fine, treat it as any other robbery attempt and call for (more and/or real) police as soon as possible. Looking stupid and honoring the threat buys time for a safer outcome.

As for the private person pulled over by a quasi-cop on a dark highway late at night, the thing to do if you are suspicious is to call 911. If highly suspicious, drive safely at a moderate speed with your hazard lights on to a well-lighted area with people around (24-hour gas station, restaurant, etc.) Either the nice 911 dispatcher will confirm that you are dealing with the police, or they will send units to deal with the impersonator, or you will collect enough real police units that you can safely stop now. In any case, no harm done.

The check-and-balance on police misconduct in America is ultimately the courtroom. One does have to stay alive to testify, which in most cases involves keeping one's hands in plain sight and complying with commands. Suddenly reaching for a cell phone (or anything else) is right out.

I've heard a number of stories about local police bouncing off of military security, where in some cases even a warrant is not enough to get past the line on the ground.

Two additional tales of authentication:

1) I know one security company whose dispatch had to call the Highway Patrol when two uniformed deputies from a county sheriff's department flashed credentials to a patrol guard to explain away going into an office complex at 2 AM and loading their patrol cars with computers and boxes of paperwork. This seemed very wrong, but the guard wasn't about to argue with two guys with guns. The sheriff's department refused to come out as the incident was outside their jurisdiction (!) and the officers were not listed as on duty (!!).

Turned out it was a business dispute and they were removing disputed property from a business co-owned by one of the deputies. Neither Highway Patrol nor the sheriff's department were amused; both lost their jobs.

2) The police called in the late evening to verify someone's employment. Yes, a person by that name was our employee -- and he was not only working at the time, but viewable on camera sitting at a quiet desk with no police in sight. The police asked him to come and meet them a few blocks away. On his arrival, the man who had burglarized his car and stolen his ID panicked, attempted to run away and was arrested.

You can't do regular IFF either. Consider "unmarked" cars. You need something that will respond properly to a challenge only when the officer it belongs to wants it to.

If you're going to invent an impossible infrastructure for real-time queries, it should be fairly easy to do it in a way that isn't vulnerable to compiling a list of officers or whoever. All the civilian needs to know is whether the badge belongs to some officer and hasn't been revoked. Which officer is relevant only if there's a complaint down the line, at which point more information can be divulged in a less-copyable way.
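The pieces commenters propose above (a random 64-bit key appended to the badge number, a PIN supplied by the officer, periodic reissue that retires old keys, notification on each check, and an answer that says only whether the credential is valid) fit together as in this added sketch. It is not code from the post or from any agency system; `BadgeRegistry`, the token format, the lockout threshold and the sample badge number are all hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_PIN_FAILURES = 3  # assumption: lock the credential after three wrong PINs


@dataclass
class Credential:
    badge_number: str
    pin_salt: bytes
    pin_hash: bytes
    revoked: bool = False
    pin_failures: int = 0
    events: list = field(default_factory=list)  # what the officer is notified of


class BadgeRegistry:
    """Hypothetical issuing-agency service. Lookups are keyed by the scanned
    token, never by the visible badge number, so counting through badge
    numbers finds nothing."""

    def __init__(self):
        self._by_token = {}  # sha256(token) -> Credential; raw tokens are not stored

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _hash_pin(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def issue(self, badge_number, pin):
        # Badge number plus 64 random bits: this string is what the QR code carries.
        token = f"{badge_number}-{secrets.token_hex(8)}"
        salt = secrets.token_bytes(16)
        self._by_token[self._key(token)] = Credential(
            badge_number, salt, self._hash_pin(pin, salt))
        return token

    def reissue(self, old_token, pin):
        # Periodic reissue: retire the old key so a harvested code stops working.
        old = self._by_token[self._key(old_token)]
        old.revoked = True
        return self.issue(old.badge_number, pin)

    def verify(self, token, pin):
        """Return 'valid', 'not-valid' or 'locked'. The caller learns nothing
        about which officer holds the credential."""
        cred = self._by_token.get(self._key(token))
        if cred is None or cred.revoked:
            return "not-valid"            # unknown and retired tokens look alike
        if cred.pin_failures >= MAX_PIN_FAILURES:
            return "locked"               # a 4-digit PIN only holds with a guess limit
        if not hmac.compare_digest(self._hash_pin(pin, cred.pin_salt), cred.pin_hash):
            cred.pin_failures += 1
            cred.events.append("failed verification attempt")
            return "not-valid"
        cred.pin_failures = 0
        cred.events.append("verified")
        return "valid"

    def events_for(self, token):
        # Officer-side view of every check made against this credential.
        return list(self._by_token[self._key(token)].events)


if __name__ == "__main__":
    reg = BadgeRegistry()
    token = reg.issue("4417", "2580")             # constructed sample values
    print(reg.verify(token, "2580"))               # genuine scan plus officer's PIN
    print(reg.verify("4417", "2580"))              # bare badge number: rejected
    new_token = reg.reissue(token, "1379")
    print(reg.verify(token, "2580"))               # retired key: rejected
    print(reg.verify(new_token, "1379"), reg.events_for(new_token))
```
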

It also doesn't help that, for private citizens, even when laws state that an officer from some mystery agency must be 'properly identified' the legal system takes that to mean 'wearing a shirt with a patch on the shoulder.'

Even though we all know that there are people who routinely pose as officials, police etc. if you dare question them - even if their agency is unknown to you and their conduct is unprofessional - the cost in a courtroom can be extreme.

Can this be fought on appeal? Absolutely - if you can afford to. The message to citizens is, "If someone claims authority you'd best assume that they have it."

And then the police wonder why people do as they are told when faced with imposters...

"Thus as potential murder (or worse) victims you and your family should be demanding authentication that is as strong as possible to be checked from as far away as is possible."

There's being reasonable and then there is paranoia, considering the actual risks. In the US, the remote verification system is 911. In any case, I suspect that I am at greater risk from a LEO than someone impersonating one, at least in the US. Especially if I question their identity and hence their authority.

"Also, I can't imagine him getting very far with the dead agent's badges"

No, presumably he used the badges to make ones with a fake ID. As we've seen in the post, no one verifies the ID, so he could get in a lot of places just flashing the badge.

"you don't want a big bang before achieving your mission."

Actually I saw it as an example of the resourcefulness of espionage agents. They go as far as they have to go to complete the mission. I can easily see a Russian agent doing such a thing, depending on the cost/benefit as to what his original mission actually was. I just don't know if it ever really happened.

Oh, and you're probably right that blowing up an apartment is not the easiest way. The easiest way is just to identify an FBI agent, follow him when he goes home, put a bullet in his head and take his ID. Slightly risky if your approach isn't good, as the agent is armed, too, but definitely feasible and a lot quieter.

"There's being reasonable and then there is paranoia, considering the actual risks"

The risks are very much dependent on the place and time as holiday makers in a certain Arab holiday destination in Africa are currently finding out. Law and order has basically broken down as the country's president flees in the face of organised (supposedly via twitter/facebook) opposition by the people...

The point is it might appear paranoid but it has happened and is happening in many parts of the world sometimes as with many sudden political changes overnight. And although rare it has happened in the US. Thus any system that is going to be of any use has to take that level of lack of trust, into account or not function. That is any security system that does not take the tails on the bell curve into account will find that's where it fails...

That said the fact you say,

"I suspect that I am at greater risk from a LEO than someone impersonating one, at least in the US. Especially if I question their identity and hence their authority."

Shows that you don't have trust in your LEO's to be fair or impartial. In the UK although we do have LEO's that do very occasionally overstep the mark more often than the public would like (we want zero occurrence). The public outcry that arises on such publicly known cases tends to keep the occurrence well below rare.

But importantly by and large UK LEO's are not armed and thus they don't seek to "push authority" unless required. Mainly because they will have to deal with the blowback of such behaviour in a more personal and physical manner than either party wants. Thus they generally just accept having their identity queried and verified as it defuses argument and thus establishes they have the lawful authority (and many rank and file officers are none too impressed with the knuckle dragging types, as they realise it makes their life harder).

A pilot I know described an incident to me. He was going through security and a half dozen men in black uniforms, wearing helmets and carrying guns marched right through and on to an aircraft. There was no badge or ID checking, they just went right in. Security people and police just stepped back as did the passengers. It turned out to be a drill. It wouldn't get the bad guys in the air, but they could take over whatever they like around the airport in a jiffy.

I think many posters did not actually read the linked report, as they raise points that the author of the report already addressed.

* whether or not any police collectors objected to it, unauthorised possession of Federal agency badges is already illegal in the USA and has been for some time. The report notes that the vendors of these badges were violating US law but with one exception all were operating outside US jurisdiction.

* whether or not any police officer would object to having ID that is subject to electronic verification, IT IS ALREADY THE CASE for federal officers. The point of the report was that this more robust ID has already been in service for years, but all the sites they investigated still permitted use of an obsolete authorisation method that had been sharply criticised just before the roll-out of the new system.

* whether or not it is an impossible nightmare to provide unified secure digital ID for all of America's myriad LEO agencies, for the ~100 Federal agencies, it is a done deal. They already have it. (Given that the report is about entering Federal facilities, the author was not much concerned about state IDs.) The problem is facilities allowing people in without it, even though it has been mandated for more than 6 years.

This has been a problem for a while. As long as there is no time pressure, I (as a police officer) always suggest that the person call 911 to verify who I am. I then use my handy-dandy police issued radio to tell my dispatcher to tell the call takers that someone is calling in to verify my identity.

Problem solved with a minimum of trouble.

The other problem that we run into all the time is to verify who we are over the phone. The 911 call hack works but it's even more of a pain than when I'm with someone in person.

And if the matter is emergent and there isn't time for the 911 call then you just have to make do.

Anon: Well done, and I thank you. However, about 20% of the police I've had to deal with as either respondent or complainant flat out refuse to offer ANY identification other than the blue shirt. No badge, no name, no ID.

One almost lost his life by cutting me off, jumping out of his car, getting in my face and refusing to "play that game," of IDing himself and department--as his car was not local, his demeanor aggressive and unprofessional, and I was carrying both a large amount of cash and a legal firearm.

As I and his chief (officer was a college cop, miles off campus, responding to a call from a "friend" who had a disagreement with me) had a polite, 30 minute call the next day, where our lengthy military backgrounds and respect for professional courtesy came up, I expect it had some effect on his next promotion cycle at least.

Why does the US government allow people to openly make and sell all kinds of government security agency badges and stickers on the internet while the UK government does not appear to do the same? I personally like the look of US badges etc. and I just bought some on the internet for their novelty value only. It brasses me off that I can't seem to buy UK badges in the same way. I am not a terrorist and the way I see it is if we do have a British intel agency then why all this hidden in one way, yet quite openly listed on the internet and still referred to as MI5 when that is not its real name because it hasn't been called that for years. It used to be called British Defence Intelligence, but BDI did not look so good since if you think of the initials and say them slowly you get, who's looking at you kid, beedeeye.